SharpCollection
Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
Is your favorite tool missing? Feel free to open an issue or DM me on twitter @Flangvik
Please note that Cobalt Strike's execute-assembly only accepts binaries compiled with the "Any CPU" configuration.
Azure DevOps?
Each night at 03:00 AM, the Azure DevOps pipeline checks for new commits to all repositories master branch. Branches with changes will be automatically fetched and compiled with different framework targets as well as architectures, before being pushed to this repo.
The pipeline can be found here: https://dev.azure.com/FlangvikDev/SharpRelease
OpSec
Should I blindly deploy any of these binaries during real-life engagements?
F*ck no, always look through anything that you deploy on a client machine or network. Eg https://github.com/dnSpy/dnSpy
Deploying anything blindly from this repo should be reserved for Lab environment, VM's , HTB, detection mapping, and so forth.
Available builds
| Tools \ .NET Framework | NET 4.0 | NET 4.5 | NET 4.7 |
|---|---|---|---|
| ADCollector | ✔️ | ✔️ | ✔️ |
| ADSearch | ❌ | ❌ | ✔️ |
| AtYourService | ✔️ | ✔️ | ✔️ |
| BetterSafetyKatz | ✔️ | ✔️ | ✔️ |
| Grouper2 | ✔️ | ✔️ | ✔️ |
| InveighZero | ✔️ | ✔️ | ✔️ |
| LockLess | ✔️ | ✔️ | ✔️ |
| PurpleSharp | ❌ | ✔️ | ✔️ |
| Rubeus | ✔️ | ✔️ | ✔️ |
| SafetyKatz | ✔️ | ✔️ | ✔️ |
| SauronEye | ❌ | ❌ | ✔️ |
| scout | ✔️ | ✔️ | ✔️ |
| SearchOutlook | ✔️ | ✔️ | ✔️ |
| Seatbelt | ✔️ | ✔️ | ✔️ |
| Sharp-SMBExec | ✔️ | ✔️ | ✔️ |
| SharpAllowedToAct | ✔️ | ✔️ | ✔️ |
| SharpAppLocker | ❌ | ✔️ | ✔️ |
| SharpBlock | ✔️ | ✔️ | ✔️ |
| SharpChisel | ✔️ | ✔️ | ✔️ |
| SharpChrome | ✔️ | ✔️ | ✔️ |
| SharpChromium | ✔️ | ✔️ | ✔️ |
| SharpCloud | ✔️ | ✔️ | ✔️ |
| SharpCrashEventLog | ✔️ | ✔️ | ✔️ |
| SharpDir | ✔️ | ✔️ | ✔️ |
| SharpDoor | ✔️ | ✔️ | ✔️ |
| SharpDPAPI | ✔️ | ✔️ | ✔️ |
| SharpDump | ✔️ | ✔️ | ✔️ |
| SharpFiles | ✔️ | ✔️ | ✔️ |
| SharpGPOAbuse | ✔️ | ✔️ | ✔️ |
| SharpHandler | ✔️ | ✔️ | ✔️ |
| SharpHose | ❌ | ✔️ | ✔️ |
| SharpHound3 | ❌ | ✔️ | ❌ |
| SharpKatz | ✔️ | ✔️ | ✔️ |
| SharpLaps | ✔️ | ✔️ | ✔️ |
| SharpMapExec | ✔️ | ✔️ | ✔️ |
| SharpMiniDump | ✔️ | ✔️ | ✔️ |
| SharpMove | ✔️ | ✔️ | ✔️ |
| SharpNoPSExec | ❌ | ❌ | ✔️ |
| SharpRDP | ❌ | ✔️ | ✔️ |
| SharpReg | ✔️ | ✔️ | ✔️ |
| SharpSecDump | ✔️ | ✔️ | ✔️ |
| SharpShares | ✔️ | ✔️ | ✔️ |
| SharpSphere | ❌ | ✔️ | ✔️ |
| SharpSpray | ✔️ | ✔️ | ✔️ |
| SharpStay | ✔️ | ✔️ | ✔️ |
| SharpSvc | ❌ | ❌ | ✔️ |
| SharpTask | ✔️ | ✔️ | ✔️ |
| SharpUp | ✔️ | ✔️ | ✔️ |
| SharpView | ❌ | ✔️ | ✔️ |
| SharpWMI | ✔️ | ✔️ | ✔️ |
| SharpWebServer | ✔️ | ✔️ | ✔️ |
| SharpZeroLogon | ✔️ | ✔️ | ✔️ |
| Shhmon | ✔️ | ✔️ | ✔️ |
| Snaffler | ✔️ | ❌ | ❌ |
| SqlClient | ✔️ | ✔️ | ✔️ |
| StandIn | ✔️ | ✔️ | ✔️ |
| StickyNotesExtract | ✔️ | ✔️ | ✔️ |
| SweetPotato | ❌ | ✔️ | ✔️ |
| ThunderFox | ✔️ | ✔️ | ✔️ |
| TruffleSnout | ❌ | ✔️ | ✔️ |
| Watson | ✔️ | ✔️ | ✔️ |
| winPEAS | ❌ | ✔️ | ✔️ |
| WMIReg | ✔️ | ✔️ | ✔️ |
Sources / Credits
Links for all these amazing tools are below :) title @leechristensen
- ADCollector - C# tool to quickly extract valuable information from the Active Directory environment @dev-2null
- ADSearch - C# tool to help query AD via the LDAP protocol @tomcarver16 (Only NET 4.7)
- AtYourService - C# .NET Assembly for Service Enumeration @mitchmoser
- BetterSafetyKatz - Fork of SafetyKatz dynamically fetches the latest Mimikatz, runtime patching signatures and PE loads Mimikatz into memory. @Flangvik
- Grouper2 - C# tool to help find security-related misconfigurations in Active Directory Group Policy. @mikeloss
- InveighZero - Windows C# LLMNR/mDNS/NBNS/DNS/DHCPv6 spoofer/man-in-the-middle tool . @Kevin-Robertson
- LockLess - Allows for the copying of locked files. @GhostPack
- PurpleSharp - C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments. @mvelazc0
- Rubeus - C# toolset for raw Kerberos interaction and abuses. @GhostPack
- SafetyKatz - Combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader. @GhostPack
- SauronEye - C# search tool find specific files containing specific keywords (.doc, .docx, .xls, .xlsx). @_vivami
- scout - A .NET assembly for performing recon against hosts on a network . @jaredhaight
- SearchOutlook - C# tool to search through a running instance of Outlook for keywords @RedLectroid
- Seatbelt - Performs a number of security oriented host-survey "safety checks". @GhostPack
- Sharp-SMBExec - A native C# conversion of Kevin Robertsons Invoke-SMBExec powershell script @checkymander
- SharpAllowedToAct - C# implementation of a computer object takeover through Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity) @pkb1s
- SharpAppLocker - C# port of the Get-AppLockerPolicy PS cmdlet with extended features @Flangvik
- SharpBlock - A method of bypassing EDR's active projection DLL's by preventing entry point exection. @CCob
- SharpChisel - C# Chisel Wrapper. @shantanu561993
- SharpChrome - Chrome-specific implementation of SharpDPAPI capable of cookies and logins decryption/triage. @GhostPack
- SharpChromium - C# Project to retrieve Chromium data, such as cookies, history and saved logins. @djhohnstein
- SharpCloud - Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute. @chrismaddalena
- SharpCrashEventLog - C# port of LogServiceCrash @slyd0g @limbenjamin
- SharpDir - C# tool to search both local and remote file systems for files. @jnqpblc
- SharpDoor - C# tool to allow multiple RDP (Remote Desktop) sessions by patching termsrv.dll file. @infosecn1nja
- SharpDPAPI - C# port of some Mimikatz DPAPI functionality. @GhostPack
- SharpDump - SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality. @GhostPack
- SharpFiles - C# tool to search for files based on SharpShares output. @fullmetalcache
- SharpGPOAbuse - SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO). @FSecureLABS
- SharpHandler - C# tool for stealing/duping handles to LSASS @Jean_Maes_1994
- SharpHose - Asynchronous Password Spraying Tool in C# for Windows Environments . @ustayready
- SharpHound3 - C# Rewrite of the BloodHound Ingestor. @BloodHoundAD
- SharpKatz - PURE C# port of significant MimiKatz functionality such as logonpasswords, dcsync, etc. @b4rtik
- SharpLaps - A C# tool to retrieve LAPS passwords from LDAP @pentest_swissky
- SharpMapExec - C# version of @byt3bl33d3r's tool CrackMapExec @cube0x0
- SharpMiniDump - C# tool to Create a minidump of the LSASS process from memory @b4rtik
- SharpNoPSExec - C# tool allowing file less command execution for lateral movement. @juliourena
- SharpMove - C# tool for performing lateral movement techniques @0xthirteen
- SharpRDP - C# Remote Desktop Protocol Console Application for Authenticated Command Execution @0xthirteen
- SharpReg - C# tool to interact with the Remote Registry service api. @jnqpblc
- SharpSecDump - C# port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py @G0ldenGunSec
- SharpShares - Enumerate all network shares in the current domain. @djhohnstein
- SharpSphere - C# SharpSphere has the ability to interact with the guest operating systems of virtual machines managed by vCenter. @jkcoote & @grzryc
- SharpSpray - C# tool to perform a password spraying attack against all users of a domain using LDAP. @jnqpblc
- SharpStay - .NET project for installing Persistence. @0xthirteen
- SharpSvc - C# tool to interact with the SC Manager API. @jnqpblc (Only NET 4.7)
- SharpTask - C# tool to interact with the Task Scheduler service api. @jnqpblc
- SharpUp - C# port of various PowerUp functionality. @GhostPack
- SharpView - C# implementation of harmj0y's PowerView. @tevora-threat
- SharpWMI - C# implementation of various WMI functionality. @GhostPack
- SharpWebServer - A Red Team oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes. @mariuszbit
- SharpZeroLogon - C# port of CVE-2020-1472 , a.k.a. Zerologon. @buffaloverflow
- Shhmon - Neutering Sysmon via driver unload. @Shhmon
- Snaffler - C# tool for pentesters to help find delicious candy needles (creds mostly, but it's flexible). @SnaffCon
- SqlClient - C# .NET mssql client for accessing database data through beacon. @FortyNorthSecurity
- StandIn - C# based small AD post-compromise toolkit. @FuzzySec
- StickyNotesExtract - C# tool that extracts data from the Windows Sticky Notes database. @V1V1
- SweetPotato - Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019 . @CCob
- ThunderFox - C# Retrieves data (contacts, emails, history, cookies and credentials) from Thunderbird and Firefox. @V1V1
- TruffleSnout - C# based iterative AD discovery toolkit for offensive operators. @dsnezhkov
- Watson - Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities . @rasta-mouse
- winPEAS - PEASS - Privilege Escalation Awesome Scripts (winPEAS). @carlospolop
- WMIReg - C# PoC to interact with local/remote registry hives through WMI. @airzero24